"The Most Vulnerable Smartphones of 2011" come from a range of manufacturers – Samsung, HTC, Motorola, LG and Sony, for example. All have one thing in common: failure by the manufacturer to update the smartphone's software in a timely and reliable way.

That's partly because Android is so popular; much of the reason malware can succeed is that 56 percent of Android devices on the market are running out-of-date, insecure software, Bit9 reported.

Android runs on 52 percent of smartphones covered in Bit9's report, 30 percent run iOS and 20 percent run other operating systems.

None of the 12 most insecure smartphones run iOS – because of Apple's higher level of control over the OS, Bit9's report showed.

Apple is able to limit risk first by controlling the market for iOS applications and filtering it for unauthorized code.

"The challenge we had in the Android ecosystem is it's unbelievably fragmented," Svedlove said. "From a security perspective, this ecosystem is broken."

Apple's iPhones running versions of iOS older than 4.3, which shipped in March of this year, get an honorable mention as the 13th most-vulnerable phone due to their age and end-of-life status, which ends or restricts updates, the report said.

Because Android is a more open operating system with an open development process, its owner, Google, shepherds the development work of others rather than controlling everything itself.

That leaves the market open to new developers, but also means less control over how often manufacturers apply patches.

On average, it took makers of Android devices six months to update all their devices to a new version of the OS – delays that put customers directly at risk, Svedlove said.

Samsung has the longest lag time of any major manufacturer, followed by HTC and Motorola in a close heat for second- and third-worst.